Using certificate-based authentication for identification of VPN tunnel peers ismuch stronger than using a simple Pre-Shared Key but it is more difficult toconfigure and manage.
Certificate authentication requires a PKI structure. Depending on the setup,each side may utilize its own certificate authority (CA) or they may share acommon CA. This example utilizes a different CA on each node to more closelyresemble connecting to third parties.
See also
CA and certificate entries can be created and imported in the GUI by theCertificate Manager.
Required Information¶
Endpoint A:
Item | Value |
|---|---|
Hostname | office.vpn.example.com |
WAN IP Address |
|
Endpoint B:
Item | Value |
|---|---|
Hostname | home.vpn.example.com |
WAN IP Address |
|
Create CA¶
First, create a Certificate Authority (CA) on each side:
On Endpoint A:
Navigate to System > Certificates, CAs tab
Click
AddSet the options as follows:
- Descriptive Name:
Office VPN CA- Method:
Create an internal Certificate Authority
- Randomize Serial:
Checked
- Common Name:
office-vpn-ca
Leave the rest of the fields at their default values or adjust to suit localpreferences
Click Save
Click
to export this CA as a file in the browser
Add
to export this CA as a file in the browserOn Endpoint B:
Navigate to System > Certificates, CAs tab
Click
AddSet the options as follows:
- Descriptive Name:
Home VPN CA- Method:
Create an internal Certificate Authority
- Randomize Serial:
Checked
- Common Name:
home-vpn-ca
Leave the rest of the fields at their default values or adjust to suit localpreferences
Click Save
Click
to export this CA as a file in the browser
Import Peer CAs¶
Next, import the new CA entries into the peer. For example, import the Home CAto the Office side, and vice versa.
Note
This step only requires the certificate data, not the key. The keybelonging to the CA should not be copied off the firewall where it wascreated.
On Endpoint A:
Navigate to System > Certificates, CAs tab
Click
AddSet the options as follows:
- Descriptive Name:
Home VPN CA- Method:
Import an existing Certificate Authority
- Certificate Data:
Paste the contents of the exported
Home VPN CA.crtfile.
Click Save
On Endpoint B:
Navigate to System > Certificates, CAs tab
Click
AddSet the options as follows:
- Descriptive Name:
Office VPN CA- Method:
Import an existing Certificate Authority
- Certificate Data:
Paste the contents of the exported
Office VPN CA.crtfile.
Click Save
Create Endpoint Certificates¶
On Endpoint A:
Navigate to System > Certificates, Certificates tab
Click
AddSet the options as follows:
- Method:
Create an internal Certificate
- Descriptive Name:
Office VPN Certificate- Certificate Authority:
Office VPN CA
- Common Name:
office-vpn-cert- Certificate Type:
User Certificate
- Alternative Names:
- Type:
FQDN or Hostname
- Value:
office.vpn.example.com
Click
AddSet the new row options to:
- Alternative Names:
- Type:
IP Address
- Value:
198.51.100.16
Note
If the IP address is dynamic, skip this step or use the LAN IP address.
Leave the rest of the fields at their default values or adjust to suit localpreferences
Click Save
On Endpoint B:
Navigate to System > Certificates, Certificates tab
Click
AddSet the options as follows:
- Method:
Create an internal Certificate
- Descriptive Name:
Home VPN Certificate- Certificate Authority:
Home VPN CA
- Common Name:
home-vpn-cert- Certificate Type:
User Certificate
- Alternative Names:
- Type:
FQDN or Hostname
- Value:
home.vpn.example.com
Click
AddSet the new row options to:
- Alternative Names:
- Type:
IP Address
- Value:
198.51.100.17
Note
If the IP address is dynamic, skip this step or use the LAN IP address.
Leave the rest of the fields at their default values or adjust to suit localpreferences
Click Save
Setup IPsec VPN¶
On both firewalls, configure the IPsec tunnel as described inIPsec Site-to-Site VPN Example with Pre-Shared Keys, with the following exceptions:
Endpoint A:
- Authentication method:
Mutual Certificate
- My Identifier:
Set appropriately to match the certificate for this endpoint
- Peer Identifier:
Set appropriately to match the certificate of the peer
- My Certificate:
Office VPN Certificate
- Peer Certificate Authority:
Home VPN CA
Endpoint B:
- Authentication method:
Mutual Certificate
- My Identifier:
Set appropriately to match the certificate for this endpoint
- Peer Identifier:
Set appropriately to match the certificate of the peer
- My Certificate:
Home VPN Certificate
- Peer Certificate Authority:
Office VPN CA
Matching Certificate and Identifiers¶
In order for the IPsec daemon to properly match a certificate and its keys to apeer, the local and peer identifier must match data in the certificateexactly.
Warning
Do not place quotes (single or double) around the identifier values.
There are several ways to accomplish this matching. The key factors are:
The IPsec daemon must be able to confirm that an endpoint matches theexpected identifier, which matches a peer to a specific tunnel.
The IPsec daemon must be able to match that identifier to a certificate andvalidate its trust, which confirms the identity and authenticates the tunnelpeer.
The following identifier types are the best practices to use with certificateauthentication:
- Fully Qualified Domain Name:
This choice can work with fully qualified domain names or short hostnames. Ifthe certificates were created as specified in Create Endpoint Certificates,use the full hostname such as
office.vpn.example.comorhome.vpn.example.com. This is the easiest choice and most likely tosucceed, assuming the SAN value is present in the certificate.Modern certificates typically include the certificate CN as a SAN entry, sothe CN may also be used if it resembles a hostname (e.g.
office-vpn-cert).Check the certificate properties to ensure it is present as an FQDN SAN entry.Warning
This mode will not work if the CN contains spaces or other characters notcompatible with hostnames.
- ASN.1 Distinguished Name:
The full ASN.1 Distinguished Name of the certificate. This is similar to thecertificate subject but has stricter rules about its order.
This can be formatted in several ways so long as it matches the data in thecertificate exactly, for example:
/CN=host.example.com/C=US/ST=Texas/L=Austin/O=Example CoCN=host.example.com, C=US, ST=Texas, L=Austin, O=Example CoCN = host.example.com, C = US, ST = Texas, L = Austin, O = Example Co
Note
The type, number, and order of fields will vary depending on how thecertificate was made.
To find this string, inspect the certificate in one of the following ways:
From the Certificate Manager, Certificates tab, find the entry andclick the
icon to expand the certificate details. In thedetails, copy the contents of the DN: field exactly.DN: /CN=host.example.com/C=US/ST=Texas/L=Austin/O=Example CoUse OpenSSL on a copy of the certificate contents and look for theSubject contents:
$ openssl x509 -text -noout -in mycert.crt | grep Subject: Subject: CN = host.example.com, C = US, ST = Texas, L = Austin, O = Example Co
If the certificate is configured in IPsec already, look at how
strongSwanreports the certificate subject:$ swanctl --list-certs | grep subject subject: "CN=host.example.com, C=US, ST=Texas, L=Austin, O=Example Co"
Warning
When copying these values remember that they must be entered exactly asshown but without any single or double quotes around the string. Onlyinclude the DN contents and not any headers or labels such as
DN:orSubject:.- My IP Address / Peer IP Address:
These choices are viable if all of the following items are true:
Both endpoints have static IP addresses
These static IP addresses are used as the Remote Gateway address on eachside of the IPsec tunnel
The static IP address of an endpoint is present in its certificate as a SAN
- IP Address:
Similar to the My IP Address / Peer IP Address case above, but instead ofusing endpoint static IP addresses, uses a pre-determined local addressesinstead. This could be the LAN IP address or another agreed upon address whichdoes not change. This value does not need to match the Remote Gatewayaddress in this case.
The value must be present as an IP address type SAN in the certificate
In most cases, this is not ideal, and the hostname is easier to use instead.
icon to expand the certificate details. In thedetails, copy the contents of the DN: field exactly.Troubleshooting¶
If the IPsec daemon cannot match an identifier to a known certificate, thefollowing error is logged on one or both of the peers:
charon[5319]: 08[IKE] <con100000|1> no trusted RSA public key found for '<identifier>'In that case:
Check over all of the identifier data again to ensure that the valuesexactly match an appropriate certificate field (DN, SAN, etc.)
If using an ASN.1 DN, ensure the order of DN/subject components exactlymatches the order reported by the DN field in the Certificate Manager,
strongSwan, oropensslEnsure there are no single or double quotes around the identifier value in theGUI
Ensure the correct Peer Certificate Authority is imported and selected
Attempt to initiate the tunnel in both directions manually and compare output(Manually connect IPsec from the shell).
